Posted by: Arian Eigen Heald
Compliance, IT audit, SAS 70, Security, SOX
When I do an audit and request that my client give me SAS 70 reports from his/her critical financial vendors, I am often amazed (or appalled) at what I get to read.
My team performs about 20-25 SAS 70 Type IIs every year, and maybe 2 SAS 70 Type I exams. Why the big difference? Type II exams actually test the controls the service organization says it has in place. In a Type I, all we test is that the company says it has controls, and that those controls appear adequate. BIG difference. It’s also a big difference in price for the service organization, so companies try to get a Type I if they can.
Sometimes a service company will start with a Type I, planning to go to a Type II. I’m inclined to recommend getting a SAS 70 readiness assessment, then completing a Type II – it saves money and makes clients happier. More on this later.
Also, Type I exams only look at what control procedures are in place at the time the service auditor comes to visit (called “Point in Time,” appropriately enough). The service organization can throw out the controls the day after that. So this type of SAS 70 has limited value to clients (your company).
For Type II exams, we test over a period of time, say the previous six months, nine months, or one year, to ensure that the controls were in place and effective. The downside is that it is testing of a previous period, so if the controls fall apart three months after the test, I can’t report that until (or if) I come back for the next test. But it does give considerably more assurance that controls are in place, because you can see that what we tested was in place throughout the previous year.
SAS 70 exams must be signed off on by a certified public accountant, even if CISAs are doing the testing on site. Make sure the firm that performed the exam for your outsourced service is exactly that: a CPA firm. Otherwise, the report is not legal in a court of law.
I have seen proposals (just two weeks ago, from a very big service company, as a matter of fact) that announced they were “doing” a SAS 70 as part of their security; number one, they can’t “do” one, and number two, a SAS 70 isn’t a “security” exam.
It’s an exam to provide reasonable assurance to the client company’s internal financial auditors.
So, when reading the report, you’ll want to pay attention to the sections that describe what they’re doing to protect YOUR data. If your company is using a specific application over the web, what are they doing to provide safeguards for your data on that web server or database?
A little over a year ago I reviewed a report on exactly this issue; the report tested the office Windows Domain for good control practices but never addressed any controls over their application web server: a Linux box. (Scary, isn’t it?)
There are generally several sections to a SAS 70 report, and it’s worth knowing what to look for in each section. We’ll touch on that next.